neomutt: update to 20260504.
2026-05-04 Richard Russon <rich at flatcap.org>
* Security
- Fix GSSAPI buffer underflow on short unwrapped tokens
- Reject percent-encoded NUL bytes in URL decoding
- Skip CN fallback when SAN dNSName entries exist (RFC6125)
- Cap POP3 UIDL responses to prevent OOM from a malicious server
- Harden POP host URL copy
* Bug Fixes
- #4836 imap: fix memory leak in `msg_parse_flags`
- #4849 Fix memmove in `mutt_str_expand_tabs`
- #4850 IMAP: enhance stability with re-entrancy protection and reconnection fixes
- #4852 Say which mailcap field we are looking for
- #4853 Don't overwrite content_type
- pager: fix crash on `uncolor *`
- pager: fix wrong line index in signature syntax realloc
- pager: fix OOB read on short log lines in `display_line()`
- pager: fix off-by-one in newline restoration
[5 lines not shown]
py-zope.proxy: updated to 7.2
7.2 (2026-04-30)
- Add support for automatically building and publishing Windows/ARM64 wheels.
- Add support for automatically building and publishing source distributions.
py-dulwich: updated to 1.2.1
1.2.1 2026-04-29
* Derive the LFS endpoint as the remote's on-disk LFS store
(``<remote>/.git/lfs`` for worktrees, ``<remote>/lfs`` for bare repos)
when ``remote.origin.url`` points at a local filesystem path or
``file://`` URL, matching git-lfs behaviour. Previously the built-in
smudge filter constructed an HTTP-style ``<remote>.git/info/lfs`` path
that did not exist on disk, leaving LFS-tracked files as pointers when
cloning from a local repo.
* Deduplicate objects when writing a multi-pack-index. Objects present
in multiple packs (e.g. after ``git gc`` creates a cruft pack) would
otherwise produce an OIDL chunk with repeated SHAs, causing ``git
multi-pack-index verify`` to fail with "oid lookup out of order".
* Extend ignorecase and precomposeunicode support to index lookups.
Make sure the start and end of the PT page ranges are aligned to the
size of what's addressable by a single PT page, thus ensuring we count
them up correctly.
ccache: updated to 4.13.6
Ccache 4.13.6
Bug fixes and improvements
Fixed a potential manifest/result cache key collision in MSVC depend mode when compiling a source file with no included files.
Improved robustness when parsing cache entry data structures.
Test improvements
Changed the remote_helper test suite to skip gracefully when the storage test helper is unavailable, avoiding failures when testing a system-installed ccache.
audio/fasttracker2: Update to 2.19
Changes since 2.18:
v2.19 - 03.05.2026
* Set audio input/output device to default during config reset
* If audio input device was set to default, properly open default
audio input device before sampling audio.
In pmap_bootstrap1(), check to see if FIXEDVA entries in machine_bootmap[]
are covered by any existing page table range, and if not, allocate additional
page table ranges to cover them.
This does not impact the one current user of FIXEDVA -- hp300 -- which
uses it to map the last page of RAM VA==PA. In the hp300 case, this
was already covered by the PTs that map the alternate SYSMAP_VA that
the hp300 uses (precisely because it needs the last VA==PA mapping).
This will eventually be used to map the I/O region VA==PA for mac68k.
Normally, we might otherwise use a TT register for that, but mac68k
runs on 68020s, so we cannot.
www/apache24: update to 2.4.67
Changes with Apache 2.4.67 (2026-05-04)
* SECURITY: CVE-2026-34059: Apache HTTP Server: mod_proxy_ajp: Heap
Over-Read and memory disclosure in ajp_parse_data() (cve.mitre.org)
Buffer Over-read vulnerability in Apache HTTP Server. This issue affects
Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to
version 2.4.67, which fixes the issue. Credits: Elhanan Haenel
* SECURITY: CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp: Heap Buffer
Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)
(cve.mitre.org) Improper Null Termination, Out-of-bounds Read
vulnerability in Apache HTTP Server. This issue affects Apache HTTP
Server: through 2.4.66. Users are recommended to upgrade to version
2.4.67, which fixes the issue. Credits: Tianshuo Han
(<hantianshuo233 at gmail.com>)
* SECURITY: CVE-2026-33857: Apache HTTP Server: Off-by-one OOB reads in AJP
[102 lines not shown]
mail/postfix: update to 3.11.2
Postfix 3.11.2 (2026-05-03)
Fixed in Postfix 3.11:
* Bugfix (defect introduced: Postfix 3.11): the proxymap(8) daemon
dereferenced an uninitialized pointer after a request protocol
error. This daemon is not exposed to local or remote users.
Found by Claude Opus 4.6.
* Bugfix (defect introduced: 20260309): a change, to set the
service_name default value to "amnesiac", violated a test that
parameter names in postconf output must match 1:1 with parameter
names in the postlink script.
Fixed in Postfix 3.8, 3.9, 3.10, 3.11:
* Portability: support for recent FreeBSD, NetBSD, and OpenBSD
[25 lines not shown]
geography/pdal-lib: Update to 2.10.1
Upstream does not publish NEWS. Their release notes contain the
following particularly NEWS-worthy items, plus many bug fixes and
minor improvements.
* 2.10.0
* readers.spz and writers.spz are now plugins by @ibell13 in #4755
* 2.9.0
* support for GDAL VSI
* support for FileSpec
* remove nlohmann public API (from PDAL API)
* Multi-thread support, where query, and new options for pdal tindex
Two issues:
- Always include vmparams.h via <machine/vmparams.h>, because redirection
logic elsewhere relies on this.
- But akshually, it's not even needed here because the code that would
use it is #if 0'd out anyway.
So, collect the garbage and ramble on.